A new study by security researchers from the University of Cambridge claims that around 85 per cent of Android devices have been exposed to at least one of 13 critical vulnerabilities that the operating system has struggled with.

Researchers from the Computer Laboratory at the University of Cambridge have published a paper explaining a new scorecard they’ve developed to compare the security provided by different phone and tablet manufacturers. It’s called the FUM score, and it’s made up of three components, as they explain:

F: the proportion of devices free from known critical vulnerabilities.

U: the proportion of devices updated to the most recent version.

M: the number of vulnerabilities the manufacturer has not yet fixed on any device.

The ratings are combined into a single score between 0 and 10 to rate how effective a manufacturer is at keeping devices secure; 10 is best and 0 is worst. They gathered data from about 21,713 devices through an app, called Device Analyzer which has been available in the Play Store since 2011.

They could use the data from that app to establish which build of Android each phone was running at any particular time, and hence which vulnerabilities they were open to. Their analysis shows that the average score across al the devices is 2.87 out of 10. For some perspective, Nexus devices performed best, with a score of 5.2; the likes of Samsung, HTC and Sony clustered around the 2.5 mark; Symphony and Walton were among companies scored just 0.3.

Perhaps more interesting is the team’s analysis of how the operating systems being run by the 21,713 devices fared in their face of 13 of the biggest security holes to be discovered on Android. The graph below shows the proportion of devices that were found to be running insecure, maybe secure or secure versions of Android over time. The big vertical spikes show when a vulnerability was discovered.

On average, 85 per cent of the devices they considered were vulnerable to at least one critical vulnerability. “The security of Android depends on the timely delivery of updates to fix critical vulnerabilities”, write the researchers. “Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices unpatched for long periods”. Hopefully, their score may shame manufacturers into doing something about it. [Cambridge University Computer Laboratory via Threat Post]